In the computer field it is known to employ authentication techniques to establish trust or confidence as a condition to allowing access to protected operations. One simple but well-known authentication technique uses passwords that are handled confidentially and are assumed to be known only to a user and to the computer system to which the user is to be authenticated. During authentication, the user presents the password, and the computer system checks the presented password against a password that is stored in association with an identifier of the user. If the values match, authentication has occurred and access to the protected operation(s) is granted. Many other forms of authentication are known, usable in a variety of types of systems and operating circumstances.
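The password check described above, written out as an added example (this is not code from the patent or from any system it describes). The text speaks of the password itself being stored against the user identifier; the example instead stores a salted PBKDF2 digest under that identifier and compares digests in constant time, so the stored record does not reveal the password and the comparison does not leak which bytes differ. The user identifier, password and store contents are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
ITERATIONS = 200_000
SALT_LEN = 16


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store in association with a user identifier."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed store: user identifier -> (salt, digest). Only the digest is kept,
# never the password itself.
_STORE: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_record("correct horse battery staple"),
}


def authenticate(user_id: str, presented: str) -> bool:
    """Check the presented password against the record stored for user_id."""
    record = _STORE.get(user_id)
    if record is None:
        # Unknown identifier: do the same amount of hashing work anyway so
        # response time does not reveal which identifiers exist.
        make_record(presented, b"\x00" * SALT_LEN)
        return False
    salt, stored_digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode("utf-8"), salt, ITERATIONS)
    # Constant-time comparison: authentication succeeds only if the digests match.
    return hmac.compare_digest(candidate, stored_digest)


def access_protected_operation(user_id: str, presented: str) -> str:
    """Gate a protected operation on successful authentication."""
    if not authenticate(user_id, presented):
        raise PermissionError("authentication failed")
    return "protected operation performed for " + user_id


if __name__ == "__main__":
    print(access_protected_operation("alice", "correct horse battery staple"))
    try:
        access_protected_operation("alice", "wrong password")
    except PermissionError as exc:
        print("denied:", exc)
```

The salt is generated per record, so two users with the same password do not share a stored digest, and a stolen store cannot be matched against a precomputed table.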
One particular type of computer system employs so-called “virtualization” techniques in which physical host computer hardware executes instances of “virtual machines”. A virtual machine is a software construct that presents a machine-like interface to a guest operating system and application program(s) executing in the context of the virtual machine, isolated from similar programs executing in the context of other virtual machines executing on the host computer hardware. One aspect of virtualization technology is the ability to very quickly and flexibly deploy new virtual machines as needed to accommodate changes in a system's workload. As an example, virtual machines can be used to deploy client type machines usable by a set of users in an organization. A new client machine is brought into service by instantiating a new client virtual machine on the existing host computer hardware. The new client virtual machine may be created as a clone of a standardized “template” client virtual machine defined in the system.
It should be appreciated that systems employing virtualization technology, especially those having a client-server structure and a continuously changing population of client virtual machines (VMs), may require an existing server VM to authenticate a new client VM before permitting the new client VM to fully join the system and receive services provided in the system. For example, it may be necessary that the server VM trust that the new client VM is located on the same virtual sub-network as the server VM before the client VM can gain access to services offered by the server VM. However, incoming connection requests which appear to be coming from the same virtual network may in fact be “spoofed” requests from inauthentic client VMs. The server VM may not be able to rely solely on the information contained in a connection request to arrive at a desired level of trust in a new client VM.
There is, therefore, a need for an authentication technique to deal with the above problem of “spoofed” requests from inauthentic client VMs.